This restriction requires a user to authenticate with an additional (second) factor. UserLock supports MFA through authenticator applications using time-based one-time passwords (TOTP). Examples include Google Authenticator and LastPass Authenticator. TOTPs are widely accepted and are more secure than other options such as SMS text-based authentication.
UserLock MFA can be enabled for any user, group or OU in your Domain. Choose granular settings to define your MFA policy by the type of operating system (Workstation or Server), the connection type (Local or Remote), and the frequency with which MFA is asked (at every connection, every N days.) There is also an option to help with the onboarding process to allow users to skip the MFA configuration for a defined number of days.
MFA messages displayed to the end user are customizable, and you can enable an "Ask for help" button on the displayed dialogs to allow the end user to send e-mail (and consequently reach applications that integrate with e-mail, such as Slack) and / or popup help requests to the UserLock administrators responsible for implementing MFA.
In case an end user can't log on, one-click admin actions are available in the UserLock console to temporarily disable MFA or to reset the MFA key for a specific user.
In addition, ad-hoc reports allow you to see the evolution over time of the use of MFA in your environment: logons for which MFA was used, suspicious logons for which MFA has been canceled, skip reasons…
An MFA dashboard has been added in the UserLock Console as a central place for all of these new features.
A use case page about UserLock MFA is available here.
How MFA works
When the user registers a TOTP-supporting device, a unique shared key is created. Both the device and the server can generate a time-based one-time password by processing that key along with the current time. By convention, each TOTP is good for 30 seconds. A user will log in using their regular password, then enter the current one-time password from their device.
- UserLock service version 10.0 and higher
- Windows Vista and higher or Windows Server 2008 and higher
- Only compatible with Desktop agents version 10.0 and higher
- Available for Interactive sessions only
- An authentication application must be installed on the end user's smartphone
Note that the time must be correct and automatically synchronized on the UserLock server and on end-user smartphones.
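The following is an added example, not UserLock's code, showing the TOTP mechanism described above (shared key plus current time, 30-second steps) and why the note about clock synchronization matters: a phone whose clock drifts by more than the server's tolerance produces codes the server rejects. The shared key is the RFC 6238 reference key used as a constructed value, and the one-step tolerance window is an assumption for this example; the page does not state UserLock's own tolerance.

```python
# Added example (not UserLock's code): RFC 6238 TOTP generation and
# verification, to show why the server and phone clocks must agree.
import hashlib
import hmac
import struct

STEP = 30   # seconds per TOTP, as the page states
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int,
                step: int = STEP, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps.
    The one-step tolerance is an assumption for this example only."""
    current = server_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def phone_code_accepted(secret: bytes, server_time: int, phone_drift: int) -> bool:
    """Simulate a phone whose clock is `phone_drift` seconds off the server's:
    the app computes the code from its own clock, the server checks with its own."""
    code_from_phone = totp(secret, server_time + phone_drift)
    return verify_totp(secret, code_from_phone, server_time)


if __name__ == "__main__":
    # Constructed shared key (the RFC 6238 reference key), not a real enrolment.
    shared_key = b"12345678901234567890"
    now = 1234567890
    print("code now:", totp(shared_key, now))
    for drift in (0, 25, 90):
        accepted = phone_code_accepted(shared_key, now, drift)
        print(f"phone clock off by {drift:>3}s -> accepted: {accepted}")
```

A drift of 25 seconds still lands in the same 30-second step (or the adjacent one) and is accepted, while a drift of 90 seconds is three steps away and is rejected, which is exactly the failure an unsynchronized smartphone clock produces.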
Onboarding for end users
UserLock has built-in functionality to help ease the onboarding and education process for users to set up MFA on their smartphones.
We recommend that you create a user-oriented document that you will send to all users affected by MFA. You will find a sample document of this type here.
To help your organization or users choose an application, here are the most widely used:
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator
  - This is the most secure, because even if the phone is not locked, the app will automatically lock and you must provide credentials to unlock it to get the MFA code.
- 2FA Authenticator
Regardless of the application you choose, make sure that the date and time of the end users' smartphones are correct (it is recommended to set the date and time automatically), otherwise the codes generated by the application cannot be validated.
For a user's first MFA connection, the user may need assistance with the configuration.
Once MFA is enabled for a user account, at their next connection, a dialog box with a QR code will be displayed:
- The text just under “Multi-Factor Authentication” is customizable in the Settings tab.
- Other texts are displayed according to the language of the OS of the computer being logged on to (English, which is the default language, French or Spanish).
- The "Skip (N days left)" button is optional. It is disabled by default. You can enable it in the configuration of the protected accounts related to this user.
- The "Ask for help" button is optional. It is disabled by default. You can enable it in the MFA dashboard, “Settings” tab.
When this dialog box appears, the user will need to open the Authenticator application on their smartphone, then scan the barcode. For example with Google Authenticator:
In the "Add an account" step, choose "Scan a bar code" (or "Enter a provided key" if you prefer):
The MFA code is now displayed:
Enter the MFA code in the field in the dialog box, then click "Verify and Continue".
It is recommended to inform users of the circumstances in which MFA will be asked for (for example at every logon, at the first logon of the day, etc.).
Once correctly configured, the user will be prompted with the following dialog box for all connections that require MFA.
The user will be able to retrieve the code from the Authenticator application.
Enable MFA gradually for users, groups or OU’s:
You can select users, groups, or organizational units for which you want to enable MFA. We recommend that you choose an implementation plan that allows for gradual user onboarding.
For example, enable MFA for an Active Directory group “HR”:
When enabling MFA for new users, consider informing them about how they will be impacted (see the "Onboarding for end users" section).
Why are there no Multi-Factor Authentication recovery codes?
Generally, Multi-Factor Authentication recovery codes are used on SaaS applications, administered by web services, and for which an end user cannot contact an administrator on premise.
In UserLock MFA, authentication is monitored by on-premise administrators who can be present to answer help desk calls about authentication.
MFA successful feature
If the MFA code is correctly entered but another UserLock restriction refuses the connection, the UserLock MFA reports do not record that an MFA code was correctly entered (this is only visible in the logs of the UserLock service).
MFA feature on Backup UserLock server
There is no MFA dashboard on Backup UserLock servers.
MFA on the web UserLock console
It is not possible to administer UserLock MFA via the UserLock web console.
MFA feature for unlocking events
It is not possible to authenticate users with UserLock MFA for unlocking events.